Google Fined $22.5 Million by FTC on Privacy Policy Violations

Google was fined $22.5 million by the Federal Trade Commission, which pointed to the company's misrepresentations on privacy protections.

In an announcement on Thursday, the FTC described the fine as "the largest penalty ever for violation of a commission order." The order, in this case, extends back to a previous settlement with the FTC associated with Google's Buzz social networking application, where Google agreed to be transparent on its privacy policies. The FTC has now slapped a $22.5 million penalty on Google after reviewing additional privacy policy violations by Google over several months since 2011. The new violations this time involve the Apple Safari browser and the ability of users to opt out from ad tracking when visiting sites associated with Google's DoubleClick ad network.

Google had informed users of its services that the Safari browser's setting that permits users to opt out of ad tracking would be sufficient to avoid so-called "third-party" ad tracking. However, Google added code that would ensure that Safari users would get a tracking cookie sent to their computers, even if users had opted out via the Safari setting. Most Safari users likely expected to have their privacy protected from ad tracking since the Safari browser blocked these so-called "tracking cookies" by default.

Exactly how Google was able to defeat Safari's privacy protections was described by Ed Felten, chief technologist at the FTC. Essentially, tracking cookies are allowed by Safari if form information is sent to a site by the browser. Google added JavaScript code that made it seem that the Safari browser was sending form information. Consequently, a tracking cookie would be set, accessible by all third-party advertisers, regardless of the user's privacy setting in Safari.

Felten added that Safari users who opted out of tracking during the period in which Google was using this method likely got a Google DoubleClick tracking cookie set on their computers, but those cookies are being removed.

"As part of the settlement, Google agreed to destroy as many as possible of the DoubleClick tracking cookies placed on Safari users' computers during the relevant period," Felton wrote. "To its credit, Google started destroying those cookies early, without waiting for the settlement to be finalized, so virtually all of the relevant cookies should be gone by now."

Essentially, Google was penalized for contempt, according to sole dissenting FTC Commissioner J. Thomas Rosch. He explained why he didn't join the majority opinion against Google by noting that the consent decree contained "a denial of liability." Rosch appears to be arguing that allowing the denial of liability to stand sends the wrong message. He added that the penalty was too little.

"Fourth, it may be asserted that a denial of liability is justified by the prospect of a $22.5 million civil penalty. But $22.5 million represents a de minimis amount of Google's profit or revenues," Rosch wrote.

According to Google's Form 10-K filed with the Securities and Exchange Commission, Google brought in almost $38 billion in 2011, mostly from ad revenues. So a $22.5 million penalty, even being the "largest penalty" ever issued by the FCC, is relatively small, especially considering that the FCC considers Google to be a repeat offender on violating user privacy assurances.

Rosch has been inconsistent on browser privacy protection issues for consumers. For instance, he complained in June about Senate advocacy for Microsoft's policy of turning on a "do not track" feature in Internet Explorer 10 by default. Microsoft recently confirmed it was going ahead with this plan, even though the World Wide Web Consortium may be advocating for an opt-in approach. The do-not-track approach depends on voluntary observance by advertisers in order to work.

Google announced a new privacy policy on March 1 in a blog post. However, the new policy has been somewhat controversial because it combines information across its various services, such as Gmail and Docs or YouTube and Google search. Users have to sign into Google for the information sharing to take effect. The company "won't be selling your personal data," according to the blog post.